Department of Homeland Security

Information Technology Management Letter for the FY 2012 U.S. Customs and Border Protection Financial Statement Audit

OIG-13-88 (Revised)                                   May 2013

OFFICE OF INSPECTOR GENERAL
Department of Homeland Security
Washington, DC 20528 / www.oig.dhs.gov

May 24, 2013

MEMORANDUM FOR:   The Honorable Thomas S. Winkowski
                  Deputy Commissioner
                  Performing the duties of the Commissioner of CBP
                  U.S. Customs and Border Protection

FROM:             Charles K. Edwards
                  Deputy Inspector General

SUBJECT:          Information Technology Management Letter for the FY 2012 U.S. Customs and Border Protection Financial Statement Audit - Revised

Attached for your information is the revised version of the final report, Information Technology Management Letter for the FY 2012 U.S. Customs and Border Protection Financial Statement Audit. This report contains observations related to information technology internal control. The revision to the report included a corrected report title and a new Appendix D, which replaced Appendix A, Report Distribution.

Consistent with our responsibility under the Inspector General Act, we are providing copies of our report to appropriate congressional committees with oversight and appropriation responsibility over the Department of Homeland Security. We will post the report on our website for public dissemination.

Please call me with any questions, or your staff may contact Frank Deffer, Assistant Inspector General for Information Technology Audits, at (202) 254-4100.

Attachment

KPMG LLP
Suite 12000
1801 K Street, NW
Washington, DC 20006

April 4, 2013

Inspector General
U.S. Department of Homeland Security

Chief Information Officer and
Chief Financial Officer
U.S. Customs and Border Protection

We have audited the consolidated balance sheets of the U.S. Customs and Border Protection (CBP), a Component of the U.S. Department of Homeland Security (DHS), as of September 30, 2012, and 2011, and the related consolidated statements of net cost, changes in net position, and custodial activity, and the combined statements of budgetary resources (hereinafter referred to as “consolidated financial statements”) for the years then ended. In planning and performing our audit engagement of CBP’s consolidated financial statements, we considered CBP’s internal control over financial reporting in order to determine our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements.

In connection with our fiscal year (FY) 2012 engagement, we considered CBP’s internal control over financial reporting by obtaining an understanding of CBP’s internal controls, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls in order to determine our procedures. We limited our internal control testing to those controls necessary to achieve the objectives described in Government Auditing Standards and the Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers’ Financial Integrity Act of 1982. The objective of our audit engagement was not to provide an opinion on the effectiveness of CBP’s internal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of CBP’s internal control over financial reporting.

Our audit engagement of CBP as of, and for the year ended, September 30, 2012, disclosed a significant deficiency in the areas of Information Technology (IT) security management, access controls, configuration management, segregation of duties, contingency planning, and application controls. These matters are described in the General IT Control Findings and Recommendations and the Application Control Finding and Recommendation sections of this letter.

The significant deficiency described above is presented in our Independent Auditors’ Report, dated January 25, 2013. This letter represents the separate restricted distribution letter mentioned in that report.

The control deficiencies described herein have been discussed with the appropriate members of management, and communicated through Notices of Findings and Recommendations (NFRs), and are intended For Official Use Only.

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative (“KPMG International”), a Swiss entity.

Because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate. We aim to use our knowledge of CBP gained during our audit engagement to make comments and suggestions that are intended to improve internal control over financial reporting or result in other operating efficiencies.

The Table of Contents on the next page identifies each section of the letter. We have provided a description of key CBP financial systems and IT infrastructure within the scope of the FY 2012 CBP consolidated financial statement audit in Appendix A; a description of each internal control finding in Appendix B; and the current status of the prior year NFRs in Appendix C.

This report is intended solely for the information and use of DHS management, DHS Office of Inspector General (OIG), U.S. OMB, U.S. Government Accountability Office (GAO), and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

Department of Homeland Security
U.S. Customs and Border Protection
Information Technology Management Letter
September 30, 2012

INFORMATION TECHNOLOGY MANAGEMENT LETTER

TABLE OF CONTENTS

                                                                Page
Objective, Scope, and Approach                                     1
Summary of Findings and Recommendations                            2
General IT Control Findings and Recommendations                    3
   Findings                                                        3
      Security Management                                          3
         After-Hours Physical Security Testing                     4
      Access Control                                               5
      Configuration Management                                     5
      Segregation of Duties                                        6
      Contingency Planning                                         6
   Recommendations                                                 6
      Security Management                                          6
      Access Control                                               6
      Configuration Management                                     7
      Segregation of Duties                                        7
      Contingency Planning                                         8
Application Control Finding and Recommendation                     8

APPENDICES

Appendix   Subject                                                                     Page
   A       Description of Key CBP Financial Systems and IT Infrastructure within          9
           the Scope of the FY 2012 CBP Financial Statement Audit
   B       FY 2012 Notices of IT Findings and Recommendations                            11
   C       Status of Prior Year Notices of Findings and Recommendations and              15
           Comparison to Current Year Notices of Findings and Recommendations

Information Technology Management Letter for the FY 2012 U.S. Customs and Border Protection Financial Statement Audit

OBJECTIVE, SCOPE, AND APPROACH

We have audited the consolidated balance sheets of the U.S. CBP, a component of the U.S. DHS, and related consolidated statements of net cost, changes in net position, and custodial activity, and the combined statements of budgetary resources (hereinafter, referred to as “consolidated financial statements”) as of September 30, 2012, and 2011. In connection with our engagement to audit CBP’s consolidated financial statements, we performed an evaluation of general Information Technology (IT) controls (GITCs), to assist in planning and performing our audit engagement. The Federal Information System Controls Audit Manual (FISCAM), issued by the GAO, formed the basis of our GITC evaluation procedures. The scope of the GITC evaluation is further described in Appendix A.

FISCAM was designed to inform financial statement auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial statement audit. FISCAM also provides guidance to auditors when considering the scope and extent of review that generally should be performed when evaluating GITCs and the IT environment of a Federal agency. FISCAM defines the following five control functions to be essential to the effective operation of the GITCs and the IT environment:

   Security Management (SM) – Controls provide reasonable assurance that security management is effective.

   Access Control (AC) – Controls provide reasonable assurance that access to computer resources (data, equipment, and facilities) is reasonable and restricted to authorized individuals.

   Configuration Management (CM) – Controls provide reasonable assurance that changes to information system resources are authorized and systems are configured and operated securely and as intended.

   Segregation of Duties (SD) – Controls provide reasonable assurance that incompatible duties are effectively segregated.

   Contingency Planning (CP) – Controls provide reasonable assurance that contingency planning: (1) protects information resources and minimizes the risk of unplanned interruptions and (2) provides for recovery of critical operations should interruptions occur.

To complement our GITC audit procedures, we also performed technical security testing for key network and system devices, as well as testing over key financial application controls in the CBP environment. The technical security testing was performed from within select CBP facilities, and focused on production devices that directly support key general support systems.

In addition, we performed application control tests on a limited number of CBP’s financial systems. The application control testing was performed to assess the controls that support the financial systems’ internal controls over the input, processing, and output of financial data and transactions. FISCAM defines application controls as follows: Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, or payroll.

SUMMARY OF FINDINGS AND RECOMMENDATIONS

During FY 2012, CBP took corrective action to address prior year IT control weaknesses. For example, CBP made improvements in various system logical access processes and system security settings. However, during FY 2012, we identified new and continuing GITC weaknesses that could potentially impact CBP’s financial data. The most significant weaknesses related to controls over access to programs and data, segregation of duties, and configuration management. Collectively, the IT control weaknesses limited CBP’s ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity, and availability. In addition, these weaknesses negatively impacted the internal controls over CBP financial reporting and its operations, and we considered them to collectively represent a significant deficiency for CBP under standards established by the American Institute of Certified Public Accountants. The IT findings were combined into a significant deficiency regarding IT for the FY 2012 audit of the CBP consolidated financial statements. In addition, based upon the results of our test work, we noted that CBP contributes to the DHS’ non-compliance with the requirements of the Federal Financial Management Improvement Act of 1996.

In FY 2012, our IT audit work identified 46 IT findings, of which 21 were repeat findings from the prior year and 25 were new findings. In addition, we determined that CBP remediated 15 IT findings identified in the prior year. Collectively, these findings represent deficiencies in all five FISCAM key control areas, as well as deficiencies related to financial system functionality. These weaknesses may increase the risk that the confidentiality, integrity, and availability of system controls and CBP financial data could be exploited, thereby compromising the integrity of financial data used by management and reported in CBP’s financial statements.

The recommendations made by us in this report are intended to be helpful, and may not fully remediate the related deficiency. CBP management has the responsibility to determine the most appropriate methods for addressing the weaknesses identified.

GENERAL IT CONTROL FINDINGS AND RECOMMENDATIONS

Findings:

During our engagement to audit the FY 2012 CBP financial statements, we identified the following CBP GITC and financial system control deficiencies that in the aggregate are considered a significant deficiency at CBP and in the aggregate contribute to the IT material weakness at the Department level:

Security Management

   Systems Security Authorization:
   -   Interconnection security agreements (ISA) were expired and not fully documented for multiple systems;
   -   Several financial systems and general support systems were not properly certified and accredited, in compliance with DHS policy; and
   -   Privacy Threshold Analyses and Privacy Impact Assessments, Risk Assessments and Security Assessment Reports were not updated or approved in compliance with DHS policy for multiple systems.

   System Security Plans (SSP) did not reflect the current system environment, to include a current listing of external system connections for multiple systems.

   Lack of compliance with existing policies:
   -   IT-based specialized security training requirements had not been fully implemented and enforced;
   -   Background reinvestigations of Federal employees and contractors employed to operate, manage and provide security over IT systems were not being properly conducted;
   -   Non-disclosure agreements (NDAs) were not consistently completed; and
   -   Exit processing procedures for transferred/terminated personnel, including contractors, were not consistently followed or communicated internally in a timely manner.

After-Hours Physical Security Testing

During the after-hours physical security walkthrough of selected CBP locations in the Washington, DC area, 104 instances were identified where assets and information were inadequately protected against unauthorized access, misuse, or misappropriation. Specific weaknesses identified and the locations where the instances were identified are included in the following matrix:

Exceptions Noted (1)                          NDC 1   NDC 2   Beauregard   Falls Church   National Place   Total Exceptions
Passwords (2)                                     5       0            1              0                3                  9
For Official Use Only                            24       5            4              4                6                 43
Keys                                              3       1            0              0                0                  4
Personally Identifiable Information               1       1            1              1                7                 11
Unlocked Laptop/Workstation                    2(4)       1            0              0             1(5)                  4
Server Names/Internet Protocol (IP)
Addresses (3)                                    21       3            0              1                0                 25
Credit Cards                                      0       0            0              0                2                  2
Classified Documents                              0       0            0              0                0                  0
External Drives, Other Media,
Blackberries, etc.                                0       0            0              3                3                  6
Total Exceptions at CBP                          56      11            6              9               22                104

NDC 1 and NDC 2 are National Data Center 1 and National Data Center 2.

Notes:
(1) The number of offices and cubicles inspected does not equal the total number of exceptions identified, since one office/cubicle may have had multiple exceptions.
(2) Attempts to login to the systems with the identified passwords were not performed. However, we assumed that the identified passwords were valid passwords.
(3) The unit of measure for Server Names/IP Addresses exceptions is at the document level, rather than at the individual server name/IP addresses level. For example, if a document contained multiple IP addresses, only one exception was noted. Consequently, each noted exception may contain multiple instances of Server Names/IP Addresses. In addition, IP address findings were not differentiated between IP addresses within a network diagram vs. IP addresses not on a network diagram.
(4) One unattended laptop was observed to be unlocked and did not display a password-protected screensaver.
(5) One unattended workstation was observed to be unlocked and did not display a password-protected screensaver.
(6) Note that approximately 15 desks/offices were examined at each of the locations above.

Access Control

   Ineffective safeguards over logical and physical access to sensitive facilities and resources:
   -   The physical access management system does not generate complete and accurate listings of users with access to the location where systems are physically hosted;

   Deficiencies in management of application and/or database accounts, network, and remote user accounts:
   -   User account lists and/or change logs were not periodically reviewed for appropriateness;
   -   Excessive user access privileges were allowed for several systems, and users’ logical access to systems and data was not disabled or removed promptly upon personnel termination; and
   -   The process for authorizing and managing access to component systems and networks, including virtual private network and other remote access, did not comply with DHS and CBP requirements.

   Ineffective or insufficient use of available audit logs:
   -   Logs of auditable events were not being completed appropriately, were not reviewed to identify potential incidents, or were reviewed by those with conflicting roles; and
   -   Shared user accounts exist on the database and actions are not explicitly traceable to the users who executed the action.

Configuration Management

   Security patch management and configuration deficiencies were identified during the vulnerability assessment on hosts supporting the key financial applications and general support systems.

   The process for documenting, authorizing, testing and migrating application software changes and implementing operating system and database patches into production did not comply with DHS and component requirements.

Segregation of Duties

   Lack of evidence to show that least privilege and segregation of duties controls exist for two systems.

   Lack of monitoring of developers’ emergency and temporary access to the production environment.

Contingency Planning

   Service continuity plans were not reviewed in compliance with DHS policy.

Recommendations:

We recommend that the CBP Chief Information Officer (CIO) and Chief Financial Officer (CFO), in coordination with the DHS Office of Chief Information Officer and the DHS Office of the Chief Financial Officer, make the following improvements to CBP’s financial management systems and associated information technology security program:

Security Management

   -   Document and renew interconnection documents on a timely basis, and update SSPs to reflect current external system connections;
   -   Initiate all outstanding periodic reinvestigations by the end of the fiscal year 2012 as required by DHS policy;
   -   Reiterate NDA policy requirements to the Contracting Officer’s Representatives (CORs). Validate the process for completing and filing NDAs and implement improvements to ensure NDAs are appropriately completed;
   -   Ensure all roles with significant information security responsibilities are identified and defined. Ensure all employee and contractor personnel possessing these roles participate in and receive the appropriate Role-based Security Training (RBST) on an annual basis. Monitor those positions to ensure all employees and contractors participate in and receive the appropriate RBST;
   -   Ensure that all security authorization documentation is updated and reviewed at the frequency required by DHS policy; and
   -   Issue reminders to Federal Supervisors and CORs on the Federal employee and contractor separation clearance process. Ensure that Human Resources has included separation clearance as part of any Federal Supervisor and COR reference guides.

After-Hours Physical Security Testing:

   Provide security awareness training to all CBP employees through multiple mediums each year. Continuously remind users to protect passwords, sensitive information, and CBP media. Continue efforts to enhance the CBP security awareness campaigns, and focus on desktop reviews.

Access Control

   -   Ensure that the physical access management system is updated with a complete and accurate listing of users with access to the raised floor. Update physical security procedures to include any changes to the physical access management process;
   -   Explore capabilities to extract data for instances where developers have been granted emergency access to production. If the capabilities exist, develop and implement a process to review these actions for appropriateness;
   -   Implement and configure technology to record user account changes, update and implement processes for identifying and reconciling changes to access privileges to source documentation, and ensure that reviews over changes to access privileges are performed as required by DHS policy;
   -   Update the configuration setting for disabling operating system user accounts after a period of inactivity;
   -   Evaluate and update the current processes for provisioning access and ensure that all requests for general and emergency access to applications, systems, and networks, including remote users, are supported by an appropriately authorized request for access. Conduct periodic internal verification reviews and training to ensure that security administrators and supervisors are enforcing compliance with these processes;
   -   Evaluate and update the current annual recertification process to ensure that all privileged and non-privileged user access is recertified, revalidated, and updated as required;
   -   Evaluate and update system user separation processes to ensure the user access is revoked in a timely manner when personnel are transferred, separated from the organization, or when job duties change and the user no longer needs system access;
   -   Implement a process for logging changes to critical and sensitive data and regularly review the contents of these logs as required by DHS policy. Maintain evidence of the review of these logs; and
   -   Require each database administrator to authenticate to the database using unique identifiers rather than shared user identifiers.

Configuration Management

   -   Develop a central repository for all artifacts related to change requests to ensure that all change requests are appropriately authorized and tested from initiation to completion;
   -   Evaluate change management and patching processes to ensure compliance with DHS policies. Enforce a timely approval and implementation of standard and emergency application changes and operating system and database patches; and
   -   Review all patching processes to ensure compliance with DHS policy. Resolve all vulnerabilities noted in the IT technical vulnerability assessment scan results. Remove all software no longer utilized or not authorized for use from all identified systems.

Segregation of Duties

   -   Implement segregation of application user duties within the access management system; and
   -   Establish a regular review of audit logs for indications of inappropriate or unusual activity where duties cannot be adequately segregated due to operational factors.

Contingency Planning

   Ensure that all security authorization documentation, including contingency plans, is updated and reviewed on the frequency as required by DHS policy.

APPLICATION CONTROL FINDING AND RECOMMENDATION

During the FY 2012 CBP financial statement audit, we identified the following application control and financial system functionality deficiency that, when aggregated with the GITC deficiencies, is considered a significant deficiency:

Finding:

One financial system lacks the controls necessary to prevent, or detect and correct, excessive drawback claims. Specifically, the programming logic for the system does not link drawback claims to imports at a detailed, line item level. This would potentially allow the importer to receive payment in excess of an allowable amount.

Recommendation:

We recommend that the CBP CIO and CFO, in coordination with the DHS Office of Chief Information Officer and the DHS Office of the Chief Financial Officer, continue to pursue alternative compensating or automated controls and measures that may ultimately remediate the risk of overpayment and identify the potential revenue loss exposure to CBP. These alternative internal controls over drawback claims may result in the capability to compare, verify, and track essential information on drawback claims and identify duplicate or excessive drawback claims.
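The line-item linkage gap in the finding above, as an added illustration that is not part of this letter and not code from any CBP system: a constructed set of import lines and drawback claims is reconciled twice, once at the import-entry level (the current logic as the finding describes it) and once at the line-item level (the compensating control the recommendation points toward). The record layouts, the rule that allowable drawback on a line is capped at the duty paid on that line, and every value in the sample data are assumptions made for the example.

```python
"""Reconciling drawback claims against import duties at two granularities.

Added example, not CBP code. Assumption for illustration: the allowable
drawback against one import line is capped at the duty paid on that line.
All records below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ImportLine:
    entry: str        # import entry number (constructed sample value)
    line: int         # line item within that entry
    duty_paid: float  # duty collected on this line


@dataclass(frozen=True)
class DrawbackClaim:
    claim_id: str
    entry: str
    line: int         # import line the claim draws against
    amount: float     # refund requested


def entry_level_check(lines, claims):
    """Control as the finding describes it: a claim is matched only to its
    import entry, so over-claims against a single line stay hidden while the
    entry as a whole still has headroom. Returns {entry: excess} for entries
    whose total claims exceed total duty paid."""
    duty_by_entry = defaultdict(float)
    for ln in lines:
        duty_by_entry[ln.entry] += ln.duty_paid
    claimed_by_entry = defaultdict(float)
    for c in claims:
        claimed_by_entry[c.entry] += c.amount
    return {e: round(claimed_by_entry[e] - duty_by_entry[e], 2)
            for e in claimed_by_entry
            if claimed_by_entry[e] > duty_by_entry[e] + 1e-9}


def line_level_check(lines, claims):
    """Compensating control: link each claim to the exact import line and
    flag any line whose cumulative claims exceed the duty paid on it.
    Returns ({(entry, line): (excess, [claim ids])}, [unmatched claim ids]);
    a claim citing a line that does not exist is reported as unmatched."""
    duty_by_line = {(ln.entry, ln.line): ln.duty_paid for ln in lines}
    claimed = defaultdict(float)
    claim_ids = defaultdict(list)
    unmatched = []
    for c in claims:
        key = (c.entry, c.line)
        if key not in duty_by_line:
            unmatched.append(c.claim_id)
            continue
        claimed[key] += c.amount
        claim_ids[key].append(c.claim_id)
    excess = {key: (round(claimed[key] - duty_by_line[key], 2), claim_ids[key])
              for key in claimed
              if claimed[key] > duty_by_line[key] + 1e-9}
    return excess, unmatched


# Constructed sample data: one entry with two lines, three claims against it.
LINES = [ImportLine("E-0001", 1, 1000.0), ImportLine("E-0001", 2, 200.0)]
CLAIMS = [
    DrawbackClaim("C-1", "E-0001", 2, 150.0),
    DrawbackClaim("C-2", "E-0001", 2, 100.0),  # line 2 now over-claimed by 50
    DrawbackClaim("C-3", "E-0001", 9, 50.0),   # cites a line that does not exist
]

if __name__ == "__main__":
    # Entry-level matching sees 300 claimed against 1200 paid and flags nothing.
    print("entry-level exceptions:", entry_level_check(LINES, CLAIMS))
    # Line-level matching flags line 2 (250 claimed vs 200 paid) and claim C-3.
    print("line-level exceptions:", line_level_check(LINES, CLAIMS))
```

The two checks consume identical input; only the join key differs. That is the whole point of the finding: matching on the entry alone cannot distinguish a legitimate refund spread across lines from repeated claims against one line, nor detect a claim that references a line the entry never had.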
Appendix A
Description of Key CBP Financial Systems and IT Infrastructure within the Scope of the FY 2012 CBP Financial Statement Audit

Below is a description of significant U.S. Customs and Border Protection (CBP) financial management systems and supporting information technology (IT) infrastructure included in the scope of CBP's FY 2012 financial statement audit.

Automated Commercial Environment (ACE)

ACE is the commercial trade processing system being developed by CBP to facilitate trade while strengthening border security. It is CBP's plan that this system will replace the Automated Commercial System (ACS) when ACE is fully implemented. The mission of ACE is to implement a secure, integrated, government-wide system for the electronic collection, use, and dissemination of international trade and transportation data essential to Federal agencies. ACE is being deployed in phases, without a final, full deployment date due to funding setbacks. As ACE is partially implemented now and processes a significant amount of revenue for CBP, ACE was included in full scope in the FY 2012 financial statement audit. The ACE system is located in Virginia (VA).

Automated Commercial System (ACS)

ACS is a collection of mainframe-based business process systems used to track, control, and process commercial goods and conveyances entering United States territory, for the purpose of collecting import duties, fees, and taxes owed to the Federal Government. ACS collects duties at ports, collaborates with financial institutions to process duty and tax payments, provides automated duty filing for trade clients, and shares information with the Federal Trade Commission on trade violations and illegal imports. The ACS system was included in full scope in the FY 2012 financial statement audit. The ACS system is located in VA.

National Data Center – DC Metro Local Area Network (DC Metro LAN)

The DC Metro LAN provides more than 10,000 CBP contractor and employee users with access to enterprise-wide applications and systems. The mission of the DC Metro LAN is to support the mission of CBP operational elements in the DC Metro LAN region of the organization. These tools include personal computers, laptop computers, printers, and file/print servers which enable CBP officers and agents to interact with all other applications and systems in the CBP environment. There are 21 major applications supported by the DC Metro LAN, including ACE and ACS. As the DC Metro LAN includes the environment where the ACE, ACS, and SAP applications physically reside, the DC Metro LAN was included in the FY 2012 financial statement audit. The DC Metro LAN is located in VA.

Systems, Applications, and Products, Enterprise Central Component (SAP ECC)

SAP is a client/server-based financial management system and includes the Funds Management, Budget Control System, General Ledger, Real Estate, Property, Internal Orders, Sales and Distribution, Special Purpose Ledger, and Accounts Payable modules. These modules are used by CBP to manage assets (e.g., budget, logistics, procurement, and related policy) and revenue (e.g., accounting and commercial operations: trade, tariff, and law enforcement), and to provide information for strategic decision making. The SAP ECC financial management system was included in full scope in the FY 2012 financial statement audit. The SAP ECC system is located in VA.


Appendix B
FY 2012 Notices of IT Findings and Recommendations

FY 2012 NFR #  | NFR Title                                                                                                  | FISCAM Control Area      | Issue
CBP-IT-12-01   | Physical Security Issues Identified During Enhanced Security Testing                                       | Access Controls          | Repeat
CBP-IT-12-02   | Inadequate Role-Based Security Training Program                                                            | Security Management      | Repeat
CBP-IT-12-03   | Segregation of Duties Control Weaknesses within CBP System                                                 | Access Controls          | Repeat
CBP-IT-12-04   | CBP System User Profile Change Logs are not Reviewed                                                       | Access Controls          | Repeat
CBP-IT-12-05   | CBP System User Profile Change Logs are not Reviewed                                                       | Access Controls          | Repeat
CBP-IT-12-06   | Weaknesses in Creating New CBP System Accounts                                                             | Access Controls          | Repeat
CBP-IT-12-07   | CBP System Audit Logs not Appropriately Reviewed                                                           | Access Controls          | Repeat
CBP-IT-12-08   | Incomplete Background Re-Investigations for CBP Employees and Contractors                                  | Security Management      | Repeat
CBP-IT-12-09   | Contractor NDAs are Incomplete                                                                             | Security Management      | Repeat
CBP-IT-12-10   | Lack of Annual Recertification for CBP System Application Users                                            | Access Controls          | New
CBP-IT-12-11   | Incomplete Documentation of ISAs for CBP System Connections                                                | Access Controls          | New
CBP-IT-12-12   | Inadequate Documentation for CBP System Application Software Changes                                       | Configuration Management | New
CBP-IT-12-13   | CBP System DB2 Database Patches are not Documented and Implemented Appropriately                           | Configuration Management | New
CBP-IT-12-14   | CBP System AIX Operating System Patches are not Implemented Appropriately                                  | Configuration Management | New
CBP-IT-12-15   | CBP System Production and Training Operating Systems Vulnerability Scanning Process Weaknesses and Scan Results | Configuration Management | Repeat
CBP-IT-12-16   | Lack of Access Requests and Approvals for CBP System Accounts                                              | Access Controls          | Repeat
CBP-IT-12-17   | Lack of Monitoring Developer Emergency/Temporary Access to CBP System Production                           | Access Controls          | Repeat
CBP-IT-12-18   | Lack of Annual Recertification for CBP System Privileged Users                                             | Access Controls          | New
CBP-IT-12-19   | Incomplete Documentation of ISAs for CBP System Connections                                                | Access Controls          | Repeat
CBP-IT-12-20   | Inadequate Documentation for CBP System Application Software Changes                                       | Configuration Management | New
CBP-IT-12-21   | CBP System LPARs and Linux z/OS Vulnerability Scanning Process Weaknesses and Scan Results                 | Configuration Management | New
CBP-IT-12-22   | CBP System Raised Floor Access Weaknesses                                                                  | Access Controls          | New
CBP-IT-12-23   | Lack of Functionality in the CBP System                                                                    | Application Controls     | Repeat
CBP-IT-12-24   | Inadequate Documentation of CBP System Access Requests                                                     | Access Controls          | Repeat
CBP-IT-12-25   | Incomplete Access Request Approval Forms for New Remote Access User Account                                | Access Controls          | Repeat
CBP-IT-12-26   | CBP System Security Authorization Documentation is Not Documented, Approved, and Kept Up-To-Date           | Access Controls          | New
CBP-IT-12-27   | Separated Personnel on CBP System User Listing                                                             | Access Controls          | New
CBP-IT-12-28   | Lack of Annual Recertification for CBP System Application, Oracle Database and Operating System Account Recertifications | Access Controls | New
CBP-IT-12-29   | CBP System Audit Logs are not Appropriately Reviewed                                                       | Access Controls          | New
CBP-IT-12-30   | CBP System Technical Vulnerability Weaknesses                                                              | Configuration Management | New
CBP-IT-12-31   | Lack of Complete Review of CBP System Profile Changes                                                      | Access Controls          | New
CBP-IT-12-32   | CBP System Vulnerability Scanning Process Weaknesses and Scan Results                                      | Configuration Management | New
CBP-IT-12-33   | CBP System Configuration Setting for Disabling Inactive Accounts is not Configured Appropriately           | Access Controls          | New
CBP-IT-12-34   | Incomplete Documentation of ISAs for CBP System Connections                                                | Access Controls          | New
CBP-IT-12-36   | CBP System Oracle Database and Unix Operating Systems Patches are not Documented and Implemented Appropriately | Configuration Management | New
CBP-IT-12-38   | Employee Separation Process Weaknesses                                                                     | Security Management      | Repeat
CBP-IT-12-39   | Contractor Separation Process Weaknesses                                                                   | Security Management      | Repeat
CBP-IT-12-40   | CBP System Segregation of Duties Weaknesses over the Production Environment                                | Configuration Management | Repeat
CBP-IT-12-41   | CBP System Security Authorization Documentation is Not Documented, Approved, and Kept Up-To-Date           | Access Controls          | New
CBP-IT-12-42   | CBP System Security Authorization Documentation is Not Documented, Approved, and Kept Up-To-Date           | Access Controls          | New
CBP-IT-12-43   | CBP System Security Authorization Documentation is Not Documented, Approved, and Kept Up-To-Date           | Access Controls          | New
CBP-IT-12-45   | CBP System Program Library Access not Documented and Approved Appropriately                                | Configuration Management | New
CBP-IT-12-46   | Separated Personnel on CBP System User Listing                                                             | Access Controls          | New
CBP-IT-12-47   | Separated Personnel on CBP System User Listing                                                             | Access Controls          | Repeat
CBP-IT-12-48   | Separated Personnel on CBP System Application and Operating System User Listing                            | Access Controls          | Repeat
CBP-IT-12-49   | CBP System Audit Log Review Weaknesses                                                                     | Access Controls          | New

Note 1: NFR numbers CBP-IT-12-35, CBP-IT-12-37 and CBP-IT-12-44 were not used in this sequence.
Note 2: Specific system names were replaced with "CBP System" for security purposes.


Appendix C
Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of Findings and Recommendations

NFR #          | Description                                                                                                | Disposition
CBP-IT-11-01   | Security Awareness Issues Identified During Enhanced Security Testing                                      | Closed
CBP-IT-11-02   | Physical Security Issues Identified during Enhanced Security Testing                                       | Repeat
CBP-IT-11-03   | Inadequate Role-based Security Training Program                                                            | Repeat
CBP-IT-11-04   | Segregation of Duties Control Weaknesses within the CBP System                                             | Repeat
CBP-IT-11-05   | CBP System User Access Profile Change Log Review Procedures Have Not Been Implemented                      | Repeat
CBP-IT-11-07   | Lack of Monitoring of Developer Emergency/Temporary Access to CBP System Production                        | Repeat
CBP-IT-11-08   | Lack of Monitoring of CBP System Novell Server Audit Logs                                                  | Closed
CBP-IT-11-09   | Lack of Update to CBP System Contingency Plan                                                              | Closed
CBP-IT-11-10   | Lack of Update to CBP System Security Plan                                                                 | Closed
CBP-IT-11-11   | Background Investigations and Reinvestigations for CBP Employees and Contractors are not Completed         | Repeat
CBP-IT-11-12   | Contractor Separation Procedures are not Updated and Contractor Separation Forms are not Maintained        | Repeat
CBP-IT-11-13   | Lack of Access Requests and Approval for CBP System Accounts                                               | Repeat
CBP-IT-11-14   | CBP System Profile Change Logs are not Reviewed                                                            | Repeat
CBP-IT-11-15   | CBP System User Access Form Documentation is Incomplete                                                    | Repeat
CBP-IT-11-16   | CBP System Privileged User Recertification is Incomplete                                                   | Closed
CBP-IT-11-17   | Remote User Access Form Documentation is Incomplete                                                        | Repeat
CBP-IT-11-18   | CBP System Interconnection Security Agreements are Incomplete                                              | Repeat
CBP-IT-11-19   | Contractor Non-Disclosure Agreement Weaknesses                                                             | Repeat
CBP-IT-11-20   | Employee Separations Weaknesses                                                                            | Repeat
CBP-IT-11-21   | CBP System Audit Log Review Weaknesses                                                                     | Repeat
CBP-IT-11-22   | CBP System User Access Authorization Evidence Weakness                                                     | Repeat
CBP-IT-11-23   | CBP System Security Test & Evaluation Weakness                                                             | Closed
CBP-IT-11-24   | CBP System Configuration Management Policies and Procedures not Finalized                                  | Closed
CBP-IT-11-25   | CBP System Account Authentication Weaknesses                                                               | Closed
CBP-IT-11-26   | CBP System Audit Log Review Weaknesses                                                                     | Closed
CBP-IT-11-27   | Security Weaknesses Identified during Technical Vulnerability Assessment                                   | Closed
CBP-IT-11-28   | Security Posture of CBP Workstations                                                                       | Closed
CBP-IT-11-30   | Separated Personnel on CBP System User Listings                                                            | Repeat
CBP-IT-11-31   | CBP System Functionality Issues                                                                            | Repeat
CBP-IT-11-32   | CBP System User Account Termination Weaknesses                                                             | Repeat
CBP-IT-11-33   | CBP System Security Test & Evaluation Weakness                                                             | Closed
CBP-IT-11-34   | CBP System Security Test & Evaluation Weakness                                                             | Closed
CBP-IT-11-35   | Evidence of Personnel Authorization to Access Backup Media Not Available                                   | Closed
CBP-IT-11-36   | CBP System Recertification Weaknesses                                                                      | Closed
CBP-IT-11-37   | CBP System Privileged User Access Management Process Weaknesses                                            | Closed
CBP-IT-11-38   | CBP System Privileged User Segregation of Duties Weaknesses                                                | Repeat

Note 1: NFR numbers CBP-IT-11-06 and CBP-IT-11-29 were not used in the FY 2011 IT NFR sequence.
Note 2: Specific system names were replaced with "CBP System" for security purposes.


Appendix D
Report Distribution

Department of Homeland Security

   Secretary
   Deputy Secretary
   Chief of Staff
   Deputy Chief of Staff
   General Counsel
   Executive Secretary
   Director, GAO/OIG Liaison Office
   Assistant Secretary for Office of Policy
   Assistant Secretary for Office of Public Affairs
   Assistant Secretary for Office of Legislative Affairs
   Under Secretary for Management
   Chief Financial Officer
   Chief Information Officer
   Chief Information Security Officer
   Acting Chief Privacy Officer

Office of Management and Budget

   Chief, Homeland Security Branch
   DHS OIG Budget Examiner

Congress

   Congressional Oversight and Appropriations Committees, as appropriate


ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this document, please call us at (202) 254-4100, fax your request to (202) 254-4305, or e-mail your request to our Office of Inspector General (OIG) Office of Public Affairs at: DHS-OIG.OfficePublicAffairs@oig.dhs.gov.

For additional information, visit our website at: www.oig.dhs.gov, or follow us on Twitter at: @dhsoig.

OIG HOTLINE

To expedite the reporting of alleged fraud, waste, abuse or mismanagement, or any other kinds of criminal or noncriminal misconduct relative to Department of Homeland Security (DHS) programs and operations, please visit our website at www.oig.dhs.gov and click on the red tab titled "Hotline" to report. You will be directed to complete and submit an automated DHS OIG Investigative Referral Submission Form. Submission through our website ensures that your complaint will be promptly received and reviewed by DHS OIG.

Should you be unable to access our website, you may submit your complaint in writing to: DHS Office of Inspector General, Attention: Office of Investigations Hotline, 245 Murray Drive, SW, Building 410/Mail Stop 2600, Washington, DC, 20528; or you may call 1 (800) 323-8603; or fax it directly to us at (202) 254-4297.

The OIG seeks to protect the identity of each writer and caller.